Meta Fined €390 Million by Ireland’s Data Protection Commission
Ireland’s Data Protection Commission (DPC) has announced its decision to fine Meta Ireland, formally Facebook Ireland Ltd., €390 million following the conclusion of two inquiries into its data processing operations that were found to breach European Union privacy laws.
Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million for breaches of the GDPR relating to its Facebook service, and €180 million for breaches in relation to its Instagram service.
The inquiries concerned two complaints about the social media services. One complaint was made by an Austrian data subject in relation to Facebook; the other was made by a Belgian data subject in relation to Instagram.
The complaints were made in 2018, when GDPR came into operation and relate to Facebook and Instagram requiring users to accept a new terms of service contract that included the processing of user data, including behavioural advertising. The services would not be accessible if users declined to accept the new terms.
The DPC found the updates to be insufficiently clear. Following consultation with the European Data Protection Board, the DPC found that the ‘contract’ was not sufficient as a defence for its business practices.
Meta Ireland has also been directed to bring its data processing operations into compliance within a period of three months.
In response to the findings, a blog post from Meta stated that the company intends to appeal the decisions saying, ‘We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.’
It also strongly denied that the findings would impact on personalised advertising saying, ‘We wish to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms.’
The statement also said, ‘The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect.’
The decision follows the fining of Meta by Ireland’s Data Protection Commission for €1.3 billion in the last 18 months including for a 2021 data leak and the company’s handling of teen data on Instagram in September 2022.
A further ruling following a similar investigation relating to WhatsApp, also owned by Meta, is expected to take place next week.